Cyberattacks as an Act of War (or not)
Any significant cyber attack in the measure of damage, safety, information loss, degradation of essential services, and civil functions (traffic lights, critical infrastructure) should be defined as an act of warfare. However, defining cyber-attacks as a type of warfare and classifying cyber-attacks as an act of war can come to mean different things. In the case of deciding whether cyber-attacks are a type of warfare, undoubtedly yes. In a warring conflict, cyber-attacks are a tool and weapon that can be used to pursue a political objective. However, are all cyber-attacks defined as cyber warfare? This is where the clarity begins to diminish. For this, we have to look at the intention of the threat actor to determine if the act is, in fact, a tool of war, noting that the cyber-attack could be the same attack in both scenarios but be considered an act of terrorism or manslaughter if it is not used as a tool of war in a political conflict.
Adhering to paradoxical trinities of wars past, cyber-attacks without political objectives would not be considered an act of war. Instead, they would be prosecuted on the grounds for which laws they violated. For example, a nation attacking the United States with a cyber-attack causing intentional damages and casualties would be an act of war. However, an independent group doing the same for ideological reasons would be considered an act of terrorism. It would be without the legal umbrella that comes with a declaration of war between two entities.
Arquilla and Ronfeldt made a clarifying observation that may help warfare classicists understand how cyber attacks could be considered warfare - "both netwar and cyberwar revolve around information and communications matters, at a deeper level they are forms of war about "knowledge"- about who knows what, when, where, and why, and about how secure a society or a military is regarding its knowledge of itself and its adversaries." (5). Additionally, with the bonus of the potential for destruction being able to be sent over the same wires as the information described courtesy of malware.
For those who like to characterize warfare with at least some element of lethality, the occupation of recent technology proves otherwise (Calvo 3). Is not having the power to start an insurrection considered dangerous to democracy? What about the numerous historical events where limited use of force achieved military objectives during wartime? Demonstrated by events such as Beijing's strategy to occupy the South China Sea using non-lethal means (Calvo).
Alternatively, Rid makes an interesting counterpoint in declaring cyberattacks as legitimate acts of warfare, calling incidents like the Israeli and United States joint operation of slowing down and sabotaging Iran's development of nuclear weapons by releasing a custom piece of malware called "Stuxnet" (Rid 83). Rid points out, particularly in this scenario, "although saboteurs and spies do act politically, they often seek to avoid attribution, unlike those who launch acts of war" (83). However, this is a tricky definition to try to abide by because the same argument could be made by troops operating secretly to gain the element of surprise. Would that then be considered spying and espionage? There is not much difference between a cyber attack in secret and a cyberattack announced, which brings back an earlier point on the importance of intention in classification.
The danger in declaring any significant cyberattack as an act of war could mean the United States could find itself in the middle of a war with every nation that has sent a cyber attack in recent years. Clarke makes an interesting point on this topic, commenting on the reality of cyberwar, noting that it is not necessarily enemy nations that are the main culprits but allied nations as well. "Most of the major military powers are also one another's trading partners, commentators cannot envision the circumstances that could turn their relations to hostility" (257).
Additionally, Calvo observed that the line between our physical world and the cyber realm is thinning. In warfare terms, a country in a cyberwar with the United States is no longer contained between both entities' militaries engaged; it involves civilians and civilian infrastructure. The added danger to this reality is how wars in the future could be as integrated into our daily lives as U.S. citizens just as much as the technology already is. Even more so, if the U.S. is involved in multiple wars simultaneously, citizens could easily land in the crosshairs of these conflicts not just because of the intersection between the technology produced in the private sector used by the military; but also because of accessibility. Due to technology, American citizens are now accessible over the internet to anyone in the world. This issue is not unique to the Americas; it is also true in any developing nation with a halfway decent internet connection or cellular service. However, the difference in the U.S. is how technology is integrated into everyone's daily lives. Fridges, toasters, cars, medical devices, home thermostats… you name it; it probably has an IP address. This may not seem obvious, but what if an adversarial nation could start causing specific cars to stop abruptly on the highway? Or collectively drive all the Teslas in a city into the capital building? These scenarios are possible with the described interconnectedness in a capitalist democracy.
It is not all doom and gloom; technology has improved the quality of life for more than it has negatively affected, though this may not always be the case as more troubling events develop. With the dynamic nature and rapid speed of the internet and subsequently connected systems, it is clear that war just got much more complicated. Because there is little to no difference between some cyberattacks, like the example of Stuxnet, that malware could have been written by a non-governmental entity and unleashed for different motives. The malware might be identical, but one may be considered an act of war and the other not. Why? The argument here is that the answer lies in the intention of the attacker.
The most concerning element of this new reality is the real-world consequences of these cyber wars fought over the wires and in the shadows. It is hard to defend against something that cannot be seen, and though the military may be well keen on this, this is not the typical mindset of the average person. With the blurring of lines between the cyber realms and the physical world Calvo described, this also means the inevitable convergence of the battlefield and the world of the global citizen. As mentioned previously, this is not unique to the United States; this is applicable anywhere with internet connectivity and dependencies.
The good news is, there is still time to plan around these scenarios, and more companies are joining the effort by taking security maturity seriously. Doing so minimizes the attackable surface available to outside entities and protects their clients and employees, who are often U.S. citizens. There is hope yet that the United States can form a united front against the outside world through cybersecurity.
Arquilla, John, and David Ronfeldt. In Athena’s Camp: Preparing for Conflict in the Information Age. 1st ed., RAND Corporation, 1997.
Calvo, Alex. Calvo, A. "Cyberwar is war: A critique of “Hacking can reduce real-world violence”." Small Wars Journal (2014).
Clarke, Richard, and Robert Knake. Cyber War: The Next Threat to National Security and What to Do About It. Reprint, Ecco, 2011.
Rid, Thomas .“Cyberwar and Peace: Hacking Can Reduce Real-World Violence,” Foreign Affairs, Nov./Dec. 2013,
